26. Jan 2016 18:37 by a55de...@opayq.com:
> A CA will not validate a '.onion' address since it's not an official TLD
> approved by ICANN.

I understand that.

> The numbers aren't random. From Wikipedia:
> "16-character alpha-semi-numeric hashes which are automatically generated
> based on a public key <https://en.wikipedia.org/wiki/Public_key> when a
> hidden service
> <https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Hidden_services> is
> configured.

I also know what asymmetric keys and hashes are. The question is:

From a user perspective, http://3g2upl4pq6kufc4m.onion just looks like random characters. (And in fact, if it's a hash of a public key, which was originally randomly generated, then indeed these *are* random characters). You obviously don't want to memorize a domain name such as this, and as a human, you're very bad at recognizing the difference between http://3g2upl4pq6kufc4m.onion and http://xmh57jrzrnw6insl.onion

What prevents a person from registering a new .onion site, such as http://laobeqkdrj7bz9pq.onion and then relaying all its traffic to http://3g2upl4pq6kufc4m.onion, and trying to get people to believe that *they* are actually the duckduckgo .onion site?

When you see a link like http://3g2upl4pq6kufc4m.onion somewhere on the web (such as thehiddenwiki.org) why would you believe it's the real URL that duckduckgo created, and not somebody doing a MITM?

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
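
An added example, not part of the original message: the derivation behind the 16-character addresses the quoted Wikipedia text describes (base32 of the first 80 bits of the SHA-1 of the service's DER-encoded RSA public key), together with an exact-match check of a link against an address obtained out of band. The key bytes are constructed stand-ins, and the function names and the pinning approach are assumptions of this example.

```python
import base64
import hashlib
import re
from typing import Optional
from urllib.parse import urlsplit

# A 16-character label is 80 bits in base32, whose alphabet is a-z and 2-7 only.
V2_LABEL = re.compile(r"[a-z2-7]{16}")

# Constructed stand-ins for two services' DER-encoded RSA public keys.
KEY_A = b"constructed stand-in: DER public key of service A"
KEY_B = b"constructed stand-in: DER public key of service B"


def v2_onion_label(der_public_key: bytes) -> str:
    """Derive the 16-character label: base32(SHA-1(key)[:10]), lowercased."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def label_from_url(url: str) -> Optional[str]:
    """Extract the 16-character label from a .onion URL, or None if malformed."""
    host = (urlsplit(url).hostname or "").lower()
    if not host.endswith(".onion"):
        return None
    # Ignore any subdomain in front of the label (e.g. www.<label>.onion).
    label = host[: -len(".onion")].rsplit(".", 1)[-1]
    return label if V2_LABEL.fullmatch(label) else None


def matches_pin(url: str, pinned_label: str) -> bool:
    """True only if every character of the URL's label equals the pinned one."""
    label = label_from_url(url)
    return label is not None and label == pinned_label


if __name__ == "__main__":
    # Different keys yield different labels, so the label identifies the key.
    print(v2_onion_label(KEY_A), v2_onion_label(KEY_B))
    pinned = "3g2upl4pq6kufc4m"  # address from the post, assumed obtained out of band
    for url in ("http://3g2upl4pq6kufc4m.onion/",
                "http://xmh57jrzrnw6insl.onion/",
                "http://laobeqkdrj7bz9pq.onion/"):
        print(url, label_from_url(url), matches_pin(url, pinned))
```

The label is bound to the key, so a service holding a different key cannot present the pinned label; what remains is comparing all 16 characters against a copy from a trusted source rather than by eye.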